Impact
The vulnerability is an unauthenticated SQL injection flaw in the Funnel Builder by FunnelKit plugin up to version 3.15.0.1. By sending specially crafted input, an attacker can inject arbitrary SQL statements into the plugin’s database queries. This allows the attacker to read, modify, or delete data stored in the WordPress database, potentially exposing sensitive user information, compromising site functionality, or facilitating further attacks against the underlying web application. The weakness is identified as CWE-89 and scored highly for its impact.
Affected Systems
All installations of the Funnel Builder by FunnelKit plugin with versions 3.15.0.1 or earlier are affected. Administrators should verify the plugin version in use and apply the update to at least 3.15.0.2, which contains the security fix.
Risk and Exploitability
The CVSS score of 9.3 reflects a severe risk, while the EPSS score of less than 1% indicates a low estimated probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it via the web interface with no authentication required, meaning any visitor to the site can potentially execute arbitrary SQL commands against the database. The scale of the threat is global across all sites running the affected plugin versions.
OpenCVE Enrichment